refactor(sandbox): move secrets to supervisor placeholders#192
Merged
Conversation
8a90c85 to
7488e9e
Compare
…roxy Add e2e tests with dummy echo servers that confirm placeholder-to-secret rewriting works end-to-end through the CONNECT tunnel with L7 REST inspection. Also add Rust unit tests for the full round-trip flow from provider env through header rewriting.
Add two async unit tests in rest.rs verifying that the L7 relay correctly rewrites credential placeholders (and that omitting the resolver leaks them). Clean up test_sandbox_providers.py by consolidating duplicate policy helpers and closure factories (~80 lines removed). Update the local-inference example policy with proper TLS termination config for NVIDIA and OpenCode endpoints.
7488e9e to
26680ed
Compare
Replace the legacy nemo-placeholder:env: prefix with openshell:resolve:env: across all source, test, and documentation files for consistency with the OpenShell product branding.
The echo-server-based proxy rewriting tests run both client and server inside the sandbox, so they only prove the proxy rewrites headers to a destination the sandbox itself controls — not that an external service receives real credentials. Remove the 3 tests and all associated helpers.
…LS config Add opencode network policy with models.dev, registry.npmjs.org, and opencode.ai endpoints. Fix nvidia_inference to include protocol: rest and tls: terminate so the proxy can rewrite credential placeholders. Add correct OpenCode binary paths to both policies.
drew
added a commit
that referenced
this pull request
Mar 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Testing
Closes #112